All,

Four-way Handshake (TCP conn. tear down)

A: Server
B: Client

1. (B) --> ACK/FIN --> (A)
2. (B) <-- ACK <-- (A)
3. (B) <-- ACK/FIN <-- (A)
4. (B) --> ACK --> (A)

Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=<my ip> LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248 WINDOW=65500 RES=0x00 ACK FIN URGP=0

This one has "ACK FIN" Flags

Dec 11 00:35:50 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=207.68.181.238 DST=<mi ip> LEN=471 TOS=0x00 PREC=0x00 TTL=62 ID=53655 PROTO=TCP SPT=80 DPT=3299 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0

This one has "ACK PSH FIN" Flags

ACK (Acknowledge Flag)
When set, indicates that the Acknowledgement Number is being used.

PSH (Push Flag)
An upper level protocol requires immediate data delivery and would use the Push (PSH) flag to immediately forward all of the queued data to the destination.

FIN (Finish Flag)
When set, it indicates that this is the last data from the sender.

I think this means that your side is dropping the packet when it gets to step #3 "(B) <-- ACK/FIN <-- (A)" of the TCP tear down process.

Does this make sense?

::dc::

David Correa RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com
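An added example, not part of the original message: a small Python parser for netfilter LOG entries in the format quoted above, which extracts the TCP flags from each "New not syn" line and marks those carrying FIN and ACK without SYN, the pattern the message ties to the tear down. The sample lines are constructed (documentation addresses, made-up host name), and the category labels are this example's own.

```python
import re

# Constructed sample lines in the netfilter LOG format quoted in the message
# (documentation addresses and a made-up host name, not real traffic).
SAMPLE_LOG = """\
Dec 11 02:59:59 fw kernel: New not syn:IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248 WINDOW=65500 RES=0x00 ACK FIN URGP=0
Dec 11 00:35:50 fw kernel: New not syn:IN=eth1 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=471 TOS=0x00 PREC=0x00 TTL=62 ID=53655 PROTO=TCP SPT=80 DPT=3299 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
Dec 11 03:10:02 fw kernel: New not syn:IN=eth1 OUT= SRC=192.0.2.30 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
FIELD = re.compile(r"(\w+)=(\S*)")
FLAG_SPAN = re.compile(r"RES=\S+\s+(.*?)\s*URGP=")

def parse_line(line):
    """Return src, ports and the TCP flag set, or None for non-TCP lines."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # The flags are the bare tokens logged between RES=... and URGP=...
    m = FLAG_SPAN.search(line)
    flags = set(m.group(1).split()) & TCP_FLAGS if m else set()
    return {"src": fields.get("SRC"), "spt": int(fields["SPT"]),
            "dpt": int(fields["DPT"]), "flags": flags}

def classify(flags):
    """Category names are this example's own labels, not iptables terms."""
    if "SYN" in flags:
        return "has-syn"
    if "RST" in flags:
        return "reset"
    if {"FIN", "ACK"} <= flags:
        return "teardown"      # step 1 or 3 of the four-way close
    return "other-non-syn"

def summarize(log_text):
    """Return [(src, spt, sorted flags, category)] for 'New not syn' entries."""
    rows = []
    for line in log_text.splitlines():
        if "New not syn:" not in line:
            continue
        pkt = parse_line(line)
        if pkt:
            rows.append((pkt["src"], pkt["spt"], sorted(pkt["flags"]),
                         classify(pkt["flags"])))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Entries labelled "teardown" from a source port the host recently connected to (such as 80) fit the explanation in the message; the "other-non-syn" rows are the ones worth a closer look.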